Department of Health and Human Services
OFFICE OF INSPECTOR GENERAL

WEAKNESSES IN MOLINA MEDICAID SOLUTIONS’ INFORMATION SYSTEM GENERAL CONTROLS OVER IDAHO’S MEDICAID CLAIMS PROCESSING SYSTEM INCREASE VULNERABILITIES

Inquiries about this report may be addressed to the Office of Public Affairs at Public.Affairs@oig.hhs.gov.

Thomas M. Salmon
Assistant Inspector General for Audit Services

July 2014
A-09-13-03001

Office of Inspector General
https://oig.hhs.gov

The mission of the Office of Inspector General (OIG), as mandated by Public Law 95-452, as amended, is to protect the integrity of the Department of Health and Human Services (HHS) programs, as well as the health and welfare of beneficiaries served by those programs. This statutory mission is carried out through a nationwide network of audits, investigations, and inspections conducted by the following operating components:

Office of Audit Services

The Office of Audit Services (OAS) provides auditing services for HHS, either by conducting audits with its own audit resources or by overseeing audit work done by others. Audits examine the performance of HHS programs and/or its grantees and contractors in carrying out their respective responsibilities and are intended to provide independent assessments of HHS programs and operations.
These assessments help reduce waste, abuse, and mismanagement and promote economy and efficiency throughout HHS.

Office of Evaluation and Inspections

The Office of Evaluation and Inspections (OEI) conducts national evaluations to provide HHS, Congress, and the public with timely, useful, and reliable information on significant issues. These evaluations focus on preventing fraud, waste, or abuse and promoting economy, efficiency, and effectiveness of departmental programs. To promote impact, OEI reports also present practical recommendations for improving program operations.

Office of Investigations

The Office of Investigations (OI) conducts criminal, civil, and administrative investigations of fraud and misconduct related to HHS programs, operations, and beneficiaries. With investigators working in all 50 States and the District of Columbia, OI utilizes its resources by actively coordinating with the Department of Justice and other Federal, State, and local law enforcement authorities. The investigative efforts of OI often lead to criminal convictions, administrative sanctions, and/or civil monetary penalties.

Office of Counsel to the Inspector General

The Office of Counsel to the Inspector General (OCIG) provides general legal services to OIG, rendering advice and opinions on HHS programs and operations and providing all legal support for OIG’s internal operations. OCIG represents OIG in all civil and administrative fraud and abuse cases involving HHS programs, including False Claims Act, program exclusion, and civil monetary penalty cases. In connection with these cases, OCIG also negotiates and monitors corporate integrity agreements.
OCIG renders advisory opinions, issues compliance program guidance, publishes fraud alerts, and provides other guidance to the health care industry concerning the anti-kickback statute and other OIG enforcement authorities.

Notices

THIS REPORT IS AVAILABLE TO THE PUBLIC at https://oig.hhs.gov

Section 8L of the Inspector General Act, 5 U.S.C. App., requires that OIG post its publicly available reports on the OIG Web site.

OFFICE OF AUDIT SERVICES FINDINGS AND OPINIONS

The designation of financial or management practices as questionable, a recommendation for the disallowance of costs incurred or claimed, and any other conclusions and recommendations in this report represent the findings and opinions of OAS. Authorized officials of the HHS operating divisions will make final determination on these matters.

EXECUTIVE SUMMARY

Idaho did not ensure that its contractor Molina Medicaid Solutions implemented adequate information system general controls over Idaho’s Medicaid Management Information System. We identified 21 reportable weaknesses in access controls, configuration management, and security management.

WHY WE DID THIS REVIEW

The U.S. Department of Health and Human Services (HHS) oversees States’ use of various Federal programs, including Medicaid. State agencies are required to establish appropriate computer system security requirements and conduct biennial reviews of computer system security used in the administration of State plans for Medicaid and other Federal entitlement benefits. This review is one of a number of HHS Office of Inspector General (OIG) reviews of States’ computer systems used to administer HHS-funded programs.

In a prior OIG audit, we reviewed the security of the Idaho Department of Health and Welfare’s (State agency) Medicaid network.
As part of the State agency’s overall administration of the Medicaid claims processing system, the State agency contracted with Molina Medicaid Solutions (Molina) to operate its Medicaid Management Information System (MMIS). This review focused solely on Molina’s information system general controls over the State agency’s MMIS.

Our objective was to determine whether the State agency ensured that Molina implemented adequate information system general controls over the State agency’s MMIS.

BACKGROUND

The State agency administers the Medicaid program. During fiscal year 2013, the State agency provided Medicaid services to more than 235,000 Medicaid beneficiaries, totaling approximately $1.8 billion in expenditures.

The State agency’s MMIS processes Medicaid claims and manages sensitive claims data, such as beneficiary names and Social Security numbers. The State agency uses the State’s computer and telecommunications facility to connect to Molina’s Boise, Idaho, facility, which provides access to the MMIS computers located at Molina’s New Mexico Data Center in Albuquerque, New Mexico.

To accomplish our objective, we reviewed policies and procedures, interviewed staff, and reviewed supporting documentation. Also, we used audit software-scanning programs to determine whether selected network devices and the Medicaid claims database had security-related vulnerabilities.

Molina’s Information System General Controls Over Idaho’s MMIS (A-09-13-03001)

WHAT WE FOUND

The State agency did not ensure that Molina implemented adequate information system general controls over the State agency’s MMIS.
Specifically, we identified 21 reportable weaknesses, which we consolidated into 6 findings and grouped into the following categories: access controls, configuration management, and security management.

    • Access controls. Molina had inadequate logical access security controls, including weak user authentication for remote network access, an inadequate password history policy, and inadequate encryption of network passwords.

    • Configuration management. Molina had inadequate security settings for network devices, such as allowing the use of insecure network protocols (the language of rules and conventions for communication between network devices) and the use of network services (functions that help networks to operate more efficiently) that were not necessary for Molina’s network, and inadequate management of the Medicaid claims database. In addition, Molina did not have written policies for its patch management program.

    • Security management. Molina had no security control policies and procedures to periodically review and account for inventory of portable devices. In addition, Molina had (1) no policies and procedures for annual security awareness training and (2) inadequate policies and procedures for terminated and transferred employees and for background checks of employees.

We ranked each of the findings as high impact.

Although we did not find evidence that the weaknesses had been exploited, exploitation could result in unauthorized access to, and disclosure of, sensitive information, as well as disruption of critical operations to the Medicaid program. As a result, we believe that the weaknesses are collectively and, in some cases, individually significant and could potentially compromise the integrity of the Medicaid program.
In addition, without proper safeguards, systems are unprotected from individuals and groups with malicious intent to obtain access to commit fraud, waste, or abuse or launch attacks against other computer systems and networks.

WHAT WE RECOMMEND

We recommend that the State agency ensure that Molina implements adequate information system general controls over the State agency’s MMIS. Specifically, we recommend that the State agency ensure that Molina:

    • implements stronger user authentication for remote network access, strengthens its password history policy, and uses a secure method to store its encrypted network passwords;

    • implements secure configuration settings for its network devices;

    • implements policies and procedures to secure its Medicaid claims database;

    • implements policies for its patch management program;

    • implements policies and procedures to periodically review and account for inventory of all portable devices and identify the custodian of those devices; and

    • implements (1) policies and procedures for annual security awareness training and (2) adequate policies and procedures for terminated and transferred employees and for background checks of employees.

STATE AGENCY COMMENTS AND OUR RESPONSE

In written comments on our draft report, the State agency concurred with all of our recommendations except for parts of two recommendations. Specifically, the State agency did not concur with parts of our first and sixth recommendations, respectively, that it ensure that Molina implements adequate user authentication for remote network access and implements adequate policies and procedures for terminated and transferred employees.
The State agency provided information on actions that it had taken or planned to take to address the recommendations with which it concurred.

After reviewing the State agency’s comments, we revised our first recommendation to indicate that the State agency ensure that Molina implements stronger user authentication for remote network access in accordance with Federal guidance. Nothing in the State agency’s comments caused us to revise our sixth recommendation.

TABLE OF CONTENTS

INTRODUCTION
    Why We Did This Review
    Objective
    Background
        Federal Oversight of States’ Computer Systems
        Idaho Medicaid Program
        Information System General Controls
    How We Conducted This Review

FINDINGS
    Federal Requirements
    Molina Had Inadequate Access Controls
        Inadequate Logical Access Security Controls
    Molina Had Inadequate Configuration Management
        Inadequate Security Settings for Network Devices
        Inadequate Database Security Controls
        No Patch Management Policies
    Molina Had Inadequate Security Management
        Inadequate Security Control Policies and Procedures
        Inadequate Security-Related Personnel Policies and Procedures

RECOMMENDATIONS

STATE AGENCY COMMENTS AND OFFICE OF INSPECTOR GENERAL RESPONSE

APPENDIXES
    A: Audit Scope and Methodology
    B: Requirements Related to Information System General Controls
    C: State Agency Comments

INTRODUCTION

WHY WE DID THIS REVIEW

The U.S. Department of Health and Human Services (HHS) oversees States’ use of various Federal programs, including Medicaid. State agencies are required to establish appropriate computer system security requirements and conduct biennial reviews of computer system security used in the administration of State plans for Medicaid and other Federal entitlement benefits. This review is one of a number of HHS Office of Inspector General (OIG) reviews of States’ computer systems used to administer HHS-funded programs.

In a prior OIG audit, we reviewed the security of the Idaho Department of Health and Welfare’s (State agency) Medicaid network.¹ As part of the State agency’s overall administration of the Medicaid claims processing system, the State agency contracted with Molina Medicaid Solutions (Molina)² to operate its Medicaid Management Information System (MMIS). This review focused solely on Molina’s information system general controls over the State agency’s MMIS.

OBJECTIVE

Our objective was to determine whether the State agency ensured that Molina implemented adequate information system general controls over the State agency’s MMIS.

BACKGROUND

Federal Oversight of States’ Computer Systems

Federal regulations require State agencies to determine appropriate computer system security requirements based on recognized industry standards or standards governing security of Federal computer systems and information processing (45 CFR part 95).
In addition, these regulations require HHS to conduct periodic onsite reviews of State and local agencies to determine the adequacy of computer methods and practices and to ensure that computer equipment and services are used for purposes consistent with proper administration under the Social Security Act.

Idaho Medicaid Program

The State agency administers the Medicaid program. During fiscal year 2013, the State agency provided Medicaid services to more than 235,000 Medicaid beneficiaries, totaling approximately $1.8 billion in expenditures.

¹ Weaknesses in Idaho’s Information System General Controls Over Its Medicaid Claims Processing System Increase Vulnerabilities (A-09-12-03009), issued March 21, 2014.

² Molina is a wholly owned subsidiary of Molina Health Systems and provides business processing and information technology administrative services to State Medicaid agencies. As of June 25, 2014, Molina had contracts with Idaho and four other States.

The State agency’s MMIS processes Medicaid claims and manages sensitive claims data, such as beneficiary names and Social Security numbers. The State agency uses the State’s computer and telecommunications facility to connect to Molina’s Boise, Idaho, facility, which provides access to the MMIS computers located at Molina’s New Mexico Data Center in Albuquerque, New Mexico.

Information System General Controls

Information system general controls include policies and procedures that apply to an entity’s overall computer operations.
Some primary objectives of general controls are to safeguard data, protect computer application programs, prevent unauthorized access to system software, and ensure continued operations in case of unexpected interruptions.

The Medicaid program depends on general controls, which are critical to ensuring the confidentiality, integrity, and availability of critical information and information systems. In addition, without proper safeguards, systems are unprotected from individuals and groups with malicious intent to obtain access to commit fraud, waste, or abuse or launch attacks against other computer systems and networks.³

HOW WE CONDUCTED THIS REVIEW

We reviewed Molina’s information system general controls over the State agency’s MMIS. To accomplish our objective, we used appropriate procedures from the Government Accountability Office’s Federal Information System Controls Audit Manual (FISCAM), which provides guidance on evaluating general controls over computer-processed data from information systems. We reviewed policies and procedures, interviewed staff, and reviewed supporting documentation. To perform our tests, we used audit software-scanning programs to identify potential security-related configuration vulnerabilities on two types of network devices and the Medicaid claims database.

We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives.
We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

Appendix A describes our audit scope and methodology.

³ Fraud represents intentional acts of deception with knowledge that the action or representation could result in an inappropriate gain. Waste includes inaccurate payments for services, such as unintentional duplicate payments. Abuse represents actions inconsistent with acceptable business or medical practices.

FINDINGS

The State agency did not ensure that Molina implemented adequate information system general controls over the State agency’s MMIS. Specifically, we identified 21 reportable weaknesses, which we consolidated into 6 findings and grouped into the following categories: access controls, configuration management, and security management.

    • Access controls. Molina had inadequate logical access security controls, including weak user authentication for remote network access, an inadequate password history policy, and inadequate encryption of network passwords.

    • Configuration management. Molina had inadequate security settings for network devices, such as allowing the use of insecure network protocols (the language of rules and conventions for communication between network devices) and the use of network services (functions that help networks to operate more efficiently) that were not necessary for Molina’s network, and inadequate management of the Medicaid claims database. In addition, Molina did not have written policies for its patch management program.

    • Security management.
      Molina had no security control policies and procedures to periodically review and account for inventory of portable devices. In addition, Molina had (1) no policies and procedures for annual security awareness training and (2) inadequate policies and procedures for terminated and transferred employees and for background checks of employees.

We ranked each of the findings as high impact.

Although we did not find evidence that the weaknesses had been exploited, exploitation could result in unauthorized access to, and disclosure of, sensitive information, as well as disruption of critical operations to the Medicaid program. As a result, we believe that the weaknesses are collectively and, in some cases, individually significant and could potentially compromise the integrity of the Medicaid program. In addition, without proper safeguards, systems are unprotected from individuals and groups with malicious intent to obtain access to commit fraud, waste, or abuse or launch attacks against other computer systems and networks.

FEDERAL REQUIREMENTS

Federal requirements from the Health Insurance Portability and Accountability Act (HIPAA) Security Rule for access management appear in 45 CFR part 164. For additional requirements, we used Office of Management and Budget (OMB) Circular No.
A-130, Appendix III; Federal Information Processing Standards Publication (FIPS) 140-2, Security Requirements for Cryptographic Modules; National Institute of Standards and Technology (NIST) Special Publication 800-12, An Introduction to Computer Security: The NIST Handbook; NIST Special Publication 800-40, Version 2, Creating a Patch and Vulnerability Management Program; NIST Special Publication 800-50, Building an Information Technology Security Awareness and Training Program; and NIST Special Publication 800-53, Revision 3, Security and Privacy Controls for Federal Information Systems and Organizations.

See Appendix B for specific provisions and citations.

MOLINA HAD INADEQUATE ACCESS CONTROLS

Access controls limit or detect inappropriate access to computer resources (data, equipment, and facilities), thereby protecting them from loss, disclosure, and unauthorized modification. Such controls include both logical and physical controls:

    • Logical access controls require users to authenticate themselves (by using passwords or other identifiers) and limit the files and other resources that authenticated users can access and the actions that they can execute.

    • Physical access controls restrict physical access to computer resources and protect them from intentional or unintentional loss or impairment.

In assessing Molina’s access controls, we identified weaknesses in its logical access security controls.
Inadequate access controls diminish the reliability of computerized information and increase the risk of unauthorized disclosure, modification, and destruction of sensitive information and disruption of service.

Inadequate Logical Access Security Controls

Molina had not implemented adequate logical access security controls. Specifically, we noted the following:

    • Molina had weak user authentication for remote network access.⁴

    • Molina had an inadequate policy for the password history setting to secure its network.⁵

    • Molina did not store its encrypted passwords on its network server using a secure method.

Molina officials stated that they considered their user authentication procedures and password settings secure and compliant with HIPAA requirements and established industry practices. Molina officials also stated that they would store their encrypted passwords using a secure method.

Without strong logical access security controls, there is an increased risk of unauthorized access to sensitive computer systems and data.

⁴ Authentication is a process that confirms a user’s identity before he or she can access the network.

⁵ Password history determines the number of unique new passwords that have to be associated with a user account before an old password can be reused.

MOLINA HAD INADEQUATE CONFIGURATION MANAGEMENT

Configuration management provides reasonable assurance that (1) changes to information system resources, such as the settings of devices on the network,⁶ are authorized and (2) systems are configured and operated securely and as intended.
Configuration management policies and procedures should be developed, documented, and implemented at the entitywide, system (hardware), and application (software) levels to ensure the security of the system.

In assessing Molina’s configuration management, we identified weaknesses in its security settings for network devices, its database security controls, and its patch management policies. Weaknesses in these elements increase the risk that network devices are not configured properly and securely; a secure configuration includes appropriate patching levels, disabling of unnecessary services, and protection against viruses and worms.

Inadequate Security Settings for Network Devices

Molina did not adequately configure secure settings for its network devices. We judgmentally selected two types of network devices (three switches and one firewall) for testing and used an audit software-scanning program that queries and extracts information from the devices to identify settings with potential security-related configuration vulnerabilities. We identified a total of nine weaknesses in this area: five related to switches and four related to switches and the firewall. For example, Molina allowed the use of insecure network protocols⁷ to manage network devices and did not adequately protect logging information on some of its network devices.

Molina officials agreed to review device configurations and remove potential security-related configuration vulnerabilities.

Because Molina’s network devices are integral to ensuring the security of the State agency’s MMIS, failure to adequately secure the devices exposes the network and its resources to attacks on the confidentiality, integrity, and availability of sensitive information, such as electronic protected health information (ePHI).
Such information includes names, addresses, birth dates, Social Security numbers, and medical information.

Inadequate Database Security Controls

Molina did not adequately secure its Medicaid claims database. Specifically, we noted the following:

    • Molina did not have written policies and procedures for database management.

    • Molina did not regularly review database logs to ensure the integrity and security of system access, system configurations, and access to ePHI.

    • Molina did not adequately encrypt its Medicaid claims database.

    • Molina did not properly configure access to the Medicaid claims database. We used an audit software-scanning program that queries and extracts information from the database to identify potential security-related configuration vulnerabilities. We identified some Molina database users and groups that had more privileges than were necessary for their job functions.

⁶ Devices used to secure networks include (1) switches that forward information among segments of a network, (2) firewalls that prevent unauthorized access to or from a network, and (3) routers that filter and forward data along the network.

⁷ Network protocols define a language of rules and conventions for communication between network devices.

Molina officials stated that they are developing policies and procedures for database management, reviewing database logs when necessary, and testing a new database encryption technology.
Molina officials also stated that some database users were given excess privileges on the database when it was built and that the privileges were not later removed.

Because the security of Molina’s Medicaid claims database is essential to protecting sensitive claims data, inadequate security controls expose the database to attacks on the confidentiality, integrity, and availability of ePHI:

    • Without written policies and procedures for database management, there is an increased risk of unauthorized access to sensitive data housed in the database.

    • Without regular reviews of database logs, an entity has limited ability to establish accountability, ensure compliance with security policies, and investigate violations.

    • Without adequate database encryption, there is an increased risk of unauthorized users getting access to, and possibly altering, the contents of sensitive Medicaid data, such as ePHI, including names, addresses, birth dates, Social Security numbers, and medical information.

    • Without proper database access configurations, users and groups that have more privileges than necessary may be able to obtain unauthorized access to sensitive data housed in the database.

No Patch Management Policies

Molina did not have written policies for its patch management program.
8 However, Molina had
adequate procedures to test and deploy patches.

Molina officials stated that they had identified a gap in their policies and are developing a formal
patch management policy based on their current procedures.

Without adequate patch management policies to address software vulnerabilities, an entity
cannot be sure that patches have been effectively applied and that there are not any configuration
discrepancies, which could allow an attacker to gain unauthorized access to sensitive
information, such as ePHI.

8 A patch is a piece of software designed to fix problems in or update a computer program.

MOLINA HAD INADEQUATE SECURITY MANAGEMENT

An entitywide program for security planning and management is the foundation of an entity’s
security control structure and a reflection on senior management’s commitment to addressing
security risks.

In assessing Molina’s entitywide security program, we identified weaknesses in the following
critical elements: (1) documenting and implementing security control policies and procedures
and (2) implementing effective security awareness and other security-related personnel policies
and procedures. Weaknesses in these elements increase the risk of unauthorized use, disclosure,
modification, or loss of sensitive information and information systems supporting the agency’s
mission.

Inadequate Security Control Policies and Procedures

Molina had not implemented adequate security control policies and procedures. Specifically, we
noted that Molina did not have specific inventory policies and procedures for portable devices,
such as laptop computers and Universal Serial Bus storage devices, and did not periodically
review and account for inventory of these devices.
In addition, Molina did not identify the
custodian of portable devices.

Molina officials stated that they did not know it was necessary to periodically review the
inventory and identify the custodian of portable devices. Molina officials also stated that they
believed the software they used to track the connection of devices to the network was sufficient
to review and account for portable devices.

Without adequate inventory controls for all portable devices, Molina is at risk of a data breach.
Portable devices costing as little as $50 could contain ePHI and be easily lost or stolen, making
Molina potentially liable for millions of dollars because of a data breach. 9

9 The Ponemon Institute’s report entitled 2013 Cost of Data Breach Study: United States indicated that the average
cost of a data breach for an organization in 2012 was $5.4 million.

Inadequate Security-Related Personnel Policies and Procedures

Molina had not implemented adequate security-related personnel policies and procedures.
Specifically, we noted the following:

    •   Molina did not have policies and procedures that required its employees to complete
        general security awareness training annually. We judgmentally selected five Molina
        employees and found that none of them had completed general security awareness
        training in over a year.

    •   Molina did not have adequate policies and procedures for terminated or transferred
        employees. We judgmentally selected six terminated employees and one transferred
        employee and found that Molina had not completed exit documents for any of the seven
        employees.
        Exit documents show the steps to be completed when an employee is
        terminated or transferred, including collecting keys and electronic keycards and notifying
        network administrators to remove the employee’s network access. In addition, Molina’s
        policies and procedures required the completion of exit documents only for employees
        being terminated, not for those being transferred.

    •   Molina did not have adequate policies and procedures to ensure that employee
        background checks were performed. We judgmentally selected 10 employees who had
        access to ePHI and found that Molina did not have background check documentation for
        2 of them.

Molina officials stated that they were not aware that annual refresher training on general security
awareness was required. Molina officials agreed that exit documents should be completed for all
employees being terminated or transferred; they also stated that exit documents were not
completed for terminated employees and were not required to be completed for transferred
employees because of an administrative oversight.
Molina officials stated that they could not
find the background check documentation for two employees.

Without policies and procedures requiring employees to complete general security awareness
training annually, there is an increased risk that employees with access to the MMIS may not be
appropriately trained to fulfill their security responsibilities.

Without adequate policies and procedures on completion of exit documents, Molina runs the risk
of failing to remove transferred and terminated employees’ physical and logical access, which
could result in unauthorized access to ePHI, compromising of data, or sabotaging of information
systems.

Without adequate policies and procedures on performing background checks of employees, an
organization runs the risk of hiring unqualified or untrustworthy individuals. In addition,
background checks help determine whether an individual is suitable for a given position.

RECOMMENDATIONS

We recommend that the State agency ensure that Molina implements adequate information
system general controls over the State agency’s MMIS.
Specifically, we recommend that the
State agency ensure that Molina:

    •   implements stronger user authentication for remote network access, strengthens its
        password history policy, and uses a secure method to store its encrypted network
        passwords;

    •   implements secure configuration settings for its network devices;

    •   implements policies and procedures to secure its Medicaid claims database;

    •   implements policies for its patch management program;

    •   implements policies and procedures to periodically review and account for inventory of
        all portable devices and identify the custodian of those devices; and

    •   implements (1) policies and procedures for annual security awareness training and
        (2) adequate policies and procedures for terminated and transferred employees and for
        background checks of employees.

STATE AGENCY COMMENTS AND OFFICE OF INSPECTOR GENERAL RESPONSE

In written comments on our draft report, the State agency concurred with all of our
recommendations except for parts of two recommendations. Specifically, the State agency did
not concur with part of our first recommendation that it ensure that Molina implements adequate
user authentication for remote network access, stating that Molina’s remote network access is
HIPAA-compliant and meets current standards for security and privacy controls. Also, the State
agency did not concur with part of our sixth recommendation that it ensure that Molina
implements adequate policies and procedures for terminated and transferred employees, stating
that Molina uses an electronic ticket system instead of a single paper exit document.
The State
agency provided information on actions that it had taken or planned to take to address the
recommendations with which it concurred.

The State agency’s comments are included as Appendix C. We redacted information that we
considered to be sensitive.

To help secure ePHI, NIST Special Publication 800-53, Revision 3, recommends using
two-factor authentication for network access. Therefore, we revised our first recommendation to
indicate that the State agency ensure that Molina implements stronger user authentication for
remote network access. Molina’s Policy and Procedure No. 5.0, section III, states that an
out-processing checklist is to be completed for terminated employees. The State agency did not
provide us with paper documents or show us a feature in the electronic ticket system that
represented a completed out-processing checklist for any of the terminated or transferred
employees that we judgmentally selected. Nothing in the State agency’s comments caused us to
revise our sixth recommendation.

APPENDIX A: AUDIT SCOPE AND METHODOLOGY

SCOPE

We reviewed Molina’s information system general controls over the State agency’s MMIS. We
did not perform penetration testing or review Molina’s overall internal control structure.

We conducted our audit from November 2012 to August 2013. We performed our fieldwork at
Molina’s facility in Boise, Idaho, and at its New Mexico Data Center in Albuquerque,
New Mexico.

METHODOLOGY

To accomplish our objective, we used appropriate procedures from FISCAM, which provides
guidance on evaluating general controls over computer-processed data from information
systems. We reviewed policies and procedures, interviewed staff, and reviewed supporting
documentation.
To perform our tests, we used audit software-scanning programs to identify
potential security-related configuration vulnerabilities and judgmentally selected two types of
network devices and the Medicaid claims database.

To determine the potential impact of each finding, we used information described in FIPS
Publication 199, which defines the following three levels of potential impact should there be a
breach of security (i.e., a loss of confidentiality, integrity, or availability):

    •   low if the loss of confidentiality, integrity, or availability could be expected to have a
        limited adverse effect on organizational operations, organizational assets, or individuals;

    •   moderate if the loss of confidentiality, integrity, or availability could be expected to have
        a serious adverse effect on organizational operations, organizational assets, or
        individuals; and

    •   high if the loss of confidentiality, integrity, or availability could be expected to have a
        severe or catastrophic adverse effect on organizational operations, organizational assets,
        or individuals.

We conducted this performance audit in accordance with generally accepted government
auditing standards. Those standards require that we plan and perform the audit to obtain
sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions
based on our audit objectives.
We believe that the evidence obtained provides a reasonable basis
for our findings and conclusions based on our audit objectives.

APPENDIX B: REQUIREMENTS RELATED TO INFORMATION SYSTEM GENERAL CONTROLS

GENERAL FEDERAL REQUIREMENTS

Federal regulations (45 CFR part 95) require State agencies to determine appropriate computer
system security requirements based on recognized industry standards or standards governing
security of Federal computer systems and information processing. In addition, these regulations
require HHS to conduct periodic onsite reviews of State and local agencies to determine the
adequacy of computer methods and practices and to ensure that computer equipment and
services are used for purposes consistent with proper administration under the Social Security
Act.

Federal requirements from the HIPAA Security Rule for access management appear in 45 CFR
part 164.

ACCESS CONTROLS

Federal regulations state that for person and entity authentication, covered entities must
“[i]mplement procedures to verify that a person or entity seeking access to electronic protected
health information is the one claimed” (45 CFR § 164.312(d)).

NIST Special Publication 800-53, Revision 3, Security and Privacy Controls for Federal
Information Systems and Organizations, Appendix F, section IA-2, states that to enhance
controls, the information system should use multifactor authentication for network access to
privileged and nonprivileged accounts such that one of the factors is provided by a device
separate from the information system being accessed.

Molina’s password policies and procedures, as contained in Password Management document
IS-80.60, provide general requirements for passwords, including password
history.

Microsoft’s TechNet document “Enforce password history,” under best practices, recommends a
password history setting of 24 generations.

Federal regulations (45 CFR § 164.312(a)(1)) state that a covered entity must “[i]mplement
technical policies and procedures for electronic information systems that maintain electronic
protected health information to allow access only to those persons or software programs that
have been granted access rights as specified in § 164.308(a)(4).”

CONFIGURATION MANAGEMENT

Federal regulations state that covered entities must “[i]mplement technical security measures to
guard against unauthorized access to electronic protected health information that is being
transmitted over an electronic communications network” (45 CFR § 164.312(e)(1)) and also
must “[i]mplement a mechanism to encrypt electronic protected health information whenever
deemed appropriate” (45 CFR § 164.312(e)(2)(ii)).

Molina’s password policies and procedures, as contained in Password Management document
IS-80.60, provide general requirements for passwords, including network devices.

NIST Special Publication 800-53, Revision 3, section AT-5, recommends that organizations stay
up to date with the latest recommended security practices, techniques, and technologies. Current
industry best practices include developing and implementing policies and procedures for
securing databases.

NIST Special Publication 800-53, Revision 3, Appendix F, section AU-6, states that
organizations review and analyze information system audit records.
Specifically, the
information system provides the capability to centrally review and analyze audit records from
multiple components within the system.

Federal regulations state that a covered entity must “[i]mplement a mechanism to encrypt and
decrypt electronic protected health information” (45 CFR § 164.312(a)(2)(iv)).

Federal regulations (45 CFR § 164.312(a)(1)) state that a covered entity must “[i]mplement
technical policies and procedures for electronic information systems that maintain electronic
protected health information to allow access only to those persons or software programs that
have been granted access rights as specified in § 164.308(a)(4).”

Federal regulations state that a covered entity must “[i]mplement policies and procedures to
protect electronic protected health information from improper alteration or destruction” (45 CFR
§ 164.312(c)(1)).

NIST Special Publication 800-40, Version 2, Creating a Patch and Vulnerability Management
Program, section 2.7, states:

        Organizations should deploy vulnerability remediations [patches] to all systems
        that have the vulnerability, even for those systems that are not at immediate risk
        of exploitation. … Applying patches to multiple systems is a constant
        administrative challenge that may seem especially daunting when implementing
        patches on hundreds or thousands of servers and desktop systems.
        This task can
        be made less burdensome with the use of applications that automatically distribute
        updates to end-user computers.

SECURITY MANAGEMENT

Federal regulations state that a covered entity must “[i]mplement policies and procedures that
govern the receipt and removal of hardware and electronic media that contain electronic
protected health information into and out of a facility, and the movement of these items within
the facility” (45 CFR § 164.310(d)(1)).

NIST Special Publication 800-53, Revision 3, section MP-5, states that organizations document
activities associated with the transport of information system media and that a custodian of the
media should be identified at all times.

OMB Circular No. A-130, Appendix III, section A.3.a.(2)(b), states that training controls ensure
that “all individuals are appropriately trained in how to fulfill their security responsibilities
before allowing them access to the system … and periodic refresher training shall be required for
continued access to the system.”

NIST Special Publication 800-50, Building an Information Technology Security Awareness and
Training Program, section 3.3, states that at a minimum the entire workforce should be exposed
to awareness material annually.

Federal regulations state that a covered entity must “[i]mplement policies and procedures to
protect electronic protected health information from improper alteration or destruction” (45 CFR
§ 164.312(c)(1)).

NIST Special Publication 800-12, An Introduction to Computer Security: The NIST Handbook,
section 10.2.5.1, states that, because terminations can be expected regularly, a standard set of
procedures for outgoing or transferred employees should be put in place.
These procedures are
part of the standard employee separation process that is in place to ensure that system accounts
are removed in a timely manner. The separation process also includes the control of keys; the
briefing on the responsibilities for confidentiality and privacy; and several other functions not
necessarily related to information security, such as the return of property.

Molina’s Policy and Procedure No. 5.0, Termination and/or Separation, section III.B, step 8,
states that, for offsite employees, the supervisor/manager completes an out-processing checklist
and forwards it to Human Resources. Step 9 states that, for onsite employees, Human Resources
completes an out-processing checklist.

OMB Circular No. A-130, Appendix III, section A.3.a.(2)(c), states that background check
screening must occur before an individual is authorized to bypass significant technical and
operational security controls and periodically thereafter.

APPENDIX C: STATE AGENCY COMMENTS

IDAHO DEPARTMENT OF HEALTH & WELFARE

C.L. "BUTCH" OTTER - Governor          PAUL J. LEARY - Administrator
RICHARD M.
ARMSTRONG - Director                   DIVISION OF MEDICAID
Post Office Box 83720
Boise, Idaho 83720-0009
PHONE: (208) 334-5747
FAX: (208) 364-1811

May 12, 2014

Ms. Lori A. Ahlstrand
Regional Inspector General
Office of Audit Services, Region IX
Department of Health and Human Services
90 - 7th Street, Ste 3-650
San Francisco, CA 94103

RE: Report Number A-09-13-03001

Dear Ms. Ahlstrand:

In response to your letter of April 25, 2014, below are the Department's responses to the draft
recommendations in Report Number A-09-13-03001, Weaknesses in Molina Medicaid Solutions'
Information System General Controls Over Idaho's Medicaid Claims Processing System
Increase Vulnerabilities.

1.
   Report Recommendation:
   The State agency ensure that Molina (a) implements adequate user authentication for
   remote network access, (b) strengthens its password history policy, and (c) uses a secure
   method to store its encrypted network passwords

   Department Response: Do not concur item (a); concur items (b) & (c)

   (a) We do not concur because Molina's remote network access is HIPAA compliant and
   meets current industry standards for security and privacy controls. However, as
   suggested by the auditor, Molina is currently analyzing the enhancement of their controls
   by [redacted] which was recently recommended by the National
   Institute of Standards and Technology (NIST).

   (b) We concur with this recommendation. The Department will request that Molina
   strengthen its password history [redacted] as recommended by the
   OIG.

   (c) We concur with this recommendation. [redacted]
   as recommended by the OIG.

10 Office of Inspector General Note - The deleted text has been redacted because it is sensitive information.

2.
   Report Recommendation:
   The State agency ensure that Molina implements secure configuration settings for its
   network devices.

   Department Response: Concur
   Although the OIG [redacted] findings do show vulnerabilities on some network
   settings, these are considered low impact [redacted]. However, Molina's Network team will address this
   recommendation as part of the upcoming upgrade of their network devices.

3. Report Recommendation:
   The State agency ensure that Molina implements policies and procedures to secure its
   Medicaid claims database

   Department Response: Concur
   Molina's database security policies and procedures were in the process of being
   documented at the time of the OIG Audit. This document has since been published and is
   in use.

4. Report Recommendation:
   The State agency ensure that Molina implements policies for its patch management
   program.

   Department Response: Concur
   Molina's patch management policy has been published subsequent to the OIG audit.

5.
   Report Recommendation:
   The State agency ensure that Molina implements policies and procedures to periodically
   review and account for inventory of all portable devices and identify the custodian of
   those devices.

   Department Response: Concur
   Molina's Asset Inventory Policy is in the process of being documented and will be
   published shortly.

6. Report Recommendation:
   The State agency ensure that Molina implements (a) policies and procedures for annual
   security awareness training and (b) adequate policies and procedures for terminated and
   transferred employees and (c) for background checks of employees.

   Department Response: Concur with items (a) & (c); do not concur item (b)
   (a) We concur because the annual requirement was not in place at the time of the
   auditor's visit. Molina now requires all its employees to take the following security and
   privacy awareness trainings annually:

   [redacted]

11 Office of Inspector General Note - The deleted text has been redacted because it is sensitive information.

   (b) We do not concur because although Molina does not have a single paper exit
   document, they have an electronic ticket system that [redacted] the same function more
   effectively.
   When an [redacted] is terminated, [redacted]

   (c) We concur because Molina could not provide the background check documentation.
   This shortcoming has been brought to the Molina HR department's attention and
   procedures have since been reinforced to ensure this will not happen in the future.

If you have any questions regarding the Department's responses to these recommendations, please
contact [redacted] at [redacted] 12

12 Office of Inspector General Note - The deleted text has been redacted because it is sensitive information.
'